Daily Drop (1113)
08-18-25
Monday, Aug 18, 2025 // (IG): BB // GITHUB // SN R&D
Turkey Develops Arida-M Naval Drone System to Counter Kamikaze USVs
Bottom Line Up Front (BLUF): Turkey is advancing the Arida-M Counter-Kamikaze USV system, designed to intercept and neutralize hostile naval drones and explosive-laden boats. Developed by Anadolu Robotik and Sekizaltmiş Teknoloji, the program integrates detection, electronic warfare, and interception capabilities to defend ships, ports, and coastal infrastructure from asymmetric maritime threats.
Analyst Comments: Turkey’s Arida-M reflects a shift toward layered, autonomous defenses that combine swarm tactics, AI-driven targeting, and modular design. If successful, it will strengthen Turkey’s naval posture, provide export opportunities, and set a precedent for cost-effective anti-drone warfare at sea. The program could also encourage rival states to fast-track their counter-USV technologies, escalating the naval drone arms race.
FROM THE MEDIA: Anadolu Robotik unveiled the Arida-M at SAHA EXPO 2024, with development beginning in October 2024 and sea trials launching in May 2025. The system has two core components: Arida-T, a command-and-control unit equipped with EO/IR sensors, hydrophones, radar, and a 30 km-range jammer; and Arida-M Muhafiz USVs, small explosive-laden interceptors capable of autonomous navigation, harsh sea operations, and ramming enemy drones. The phased rollout includes live detonation tests scheduled for late 2026. Designed for modularity and emission-controlled operations, Arida-M aims to counter kamikaze drones, drifting mines, and small craft, complementing Turkey’s existing ULAQ USV family and reinforcing maritime security against asymmetric threats.
READ THE STORY: National Interest
Iranian Military Adviser Warns of Renewed War With Israel, Calls for Stronger Cyber and Drone Strategy
Bottom Line Up Front (BLUF): A senior military adviser to Iran’s Supreme Leader, Yahya Rahim Safavi, stated that Iran is “not in a ceasefire” and must prepare for another potential war with Israel or the U.S. Safavi emphasized the need to enhance Iran’s missile, drone, and cyber offensive capabilities to counter the West’s “peace through power” approach.
Analyst Comments: Safavi’s remarks underscore Tehran’s strategic pivot toward integrating cyber and unmanned systems with its traditional missile arsenal, reflecting lessons from the June–July conflict with Israel. Iran’s framing of the situation as an ongoing “stage of war” signals continued readiness for asymmetric escalation, primarily through cyberattacks and drone swarms targeting Israeli critical infrastructure. The emphasis on cyber capabilities suggests Tehran views digital warfare as a cost-effective equalizer against Israel’s technological and military superiority. This rhetoric may also serve as deterrence messaging for domestic audiences and foreign adversaries.
FROM THE MEDIA: He urged the Islamic Republic to expand its “diplomatic, media, missile, drone, and cyber offensive strategy.” His comments follow Iran’s retaliatory launch of more than 500 ballistic missiles and over 1,100 drones during the June 12-day war, which caused significant damage and displacement in Israel. Iranian Foreign Minister Abbas Araghchi also threatened in July to respond “more decisively” if Israel or the U.S. strikes Iran again. Meanwhile, Israeli Prime Minister Benjamin Netanyahu vowed to attack if Iran attempts to rebuild its nuclear program. The escalating rhetoric highlights the fragile post-war environment and the potential for renewed hostilities.
READ THE STORY: Times of Israel
PipeMagic Malware Delivered via Microsoft Help Index Files, Exploits Windows CLFS Zero-Day
Bottom Line Up Front (BLUF): The campaign exploits CVE-2025-29824, a Windows Common Log File System (CLFS) zero-day patched in April 2025, allowing privilege escalation and post-compromise activity linked to ransomware groups like Storm-2460.
Analyst Comments: PipeMagic’s modularity—supporting credential dumping, AMSI evasion, and encrypted communication via named pipes—positions it as a versatile tool for ransomware operators and espionage groups. The linkage to Azure-based C2 servers suggests adversaries increasingly blend cloud infrastructure abuse with traditional malware campaigns. Organizations that delayed patching CVE-2025-29824 remain at high risk, and the observed persistence and lateral movement techniques indicate that attackers aim for long-term access.
FROM THE MEDIA: The malware now uses obfuscated C# loaders in .mshi files to decrypt RC4- and AES-encrypted payloads, communicate through dynamically generated named pipes, and hijack legitimate DLLs such as googleupdate.dll. Modules discovered by Kaspersky include AMSI patchers, credential theft via renamed ProcDump, .NET payload loaders, and advanced I/O handling for persistence. Microsoft confirmed the underlying CVE-2025-29824 vulnerability was patched in April, but exploitation continues against unpatched systems. Indicators of compromise include Azure-hosted C2 domains, specific MD5 hashes for loader files, and pipe naming conventions.
READ THE STORY: GBhackers
ERMAC v3 Android Banking Trojan Source Code Leaked, Infrastructure Exposed
Bottom Line Up Front (BLUF): The source code of ERMAC v3, an advanced Android banking trojan, has leaked online, exposing backend, frontend, exfiltration servers, and builder tools used by operators. Researchers at Hunt.io uncovered the archive in March 2024, revealing significant opsec failures that allowed mapping of live C2 infrastructure and administrative panels. The leak may improve detection, but it also risks spawning modified variants.
Analyst Comments: On the other hand, cybercriminals can adopt and adapt the leaked source code, potentially leading to more resilient and evasive ERMAC variants. With the malware targeting over 700 apps—including banking, shopping, and cryptocurrency platforms—its public availability could accelerate financial fraud campaigns, especially by less sophisticated threat actors who now have access to turnkey malware infrastructure.
FROM THE MEDIA: The Trojan includes a PHP-based command-and-control (C2) backend, React operator panel, Go-based exfiltration server, Kotlin backdoor, and a builder for creating custom APKs. Compared to earlier versions, ERMAC v3 expanded to target 700+ applications and added capabilities such as SMS theft, Gmail extraction, call forwarding, file exfiltration, fake push notifications, app management, and photo capture. Investigators found significant security lapses in the infrastructure, including default root credentials and unsecured admin panels, which exposed active C2 endpoints and builder deployments. While the leak undermines customer trust in ERMAC’s malware-as-a-service model, security experts warn it could also fuel the creation of harder-to-detect derivatives.
READ THE STORY: Bleeping Computer
Over 870 N-able N-central Servers Remain Unpatched Against Actively Exploited Flaws
Bottom Line Up Front (BLUF): More than 870 internet-exposed N-able N-central instances remain vulnerable to CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (command injection), both of which are under active exploitation. Despite patches released on August 13, many self-hosted deployments are still unprotected, prompting urgent warnings from CISA and security researchers.
Analyst Comments: Exploitation could enable attackers to escalate privileges and pivot into downstream customer systems, multiplying the potential damage. The fact that these vulnerabilities were likely zero-days before disclosure underscores the need for aggressive patch management and real-time monitoring of RMM solutions. With exploitation confirmed, the unpatched instances represent an ongoing systemic risk, particularly in the U.S. and allied countries.
FROM THE MEDIA: The Shadowserver Foundation has tracked more than 870 unpatched N-able N-central instances exposed to the internet as of August 17, 2025. N-able disclosed the flaws on August 13 in version 2025.3 of its RMM platform but provided limited technical details. The vulnerabilities were immediately added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, with federal agencies ordered to patch by August 20. While N-able confirmed limited exploitation of self-hosted instances, its hosted cloud environments remain unaffected. Shadowserver data shows the highest concentration of vulnerable deployments in the U.S. (367), followed by Canada (92), the Netherlands (84), Australia (74), and the U.K. (72). Given N-central’s role in MSP ecosystems, attackers exploiting these flaws could gain indirect access to thousands of downstream customers.
READ THE STORY: Security Week
Noodlophile Malware Expands Globally Using Copyright Phishing Lures and Telegram-Based C2
Bottom Line Up Front (BLUF): The Noodlophile information-stealing malware has expanded operations across the U.S., Europe, the Baltics, and APAC, using spear-phishing emails disguised as copyright infringement notices. The campaign leverages Dropbox-hosted installers, DLL sideloading with Haihaisoft PDF Reader, and Telegram-based dead drop resolvers to evade detection.
Analyst Comments: By adopting copyright infringement lures—already proven effective by other malware families—the operators increase their social engineering success rate. Integrating Telegram as a C2 layer complicates takedown efforts and adds resilience to the campaign. Given Noodlophile’s active development and planned features like keylogging, file encryption, and screenshot capture, it could soon evolve from a data stealer into a hybrid infostealer-ransomware threat, raising risks for enterprises with large social media footprints.
FROM THE MEDIA: The emails contain Dropbox links to ZIP or MSI installers, which sideload malicious DLLs via Haihaisoft PDF Reader to launch the malware. Before execution, persistence is established through Windows Registry scripts. The stealer uses Telegram group descriptions as dead drop resolvers, redirecting victims to payload servers like paste[.]rs. This attack chain combines LOLBin abuse (e.g., certutil.exe), obfuscation, and in-memory execution to evade traditional defenses. Current capabilities include browser credential theft, system reconnaissance, and process monitoring, with further functions under development.
READ THE STORY: THN
WarLock Claims Responsibility for Colt Cyberattack, Exploits SharePoint Zero-Day
Bottom Line Up Front (BLUF): WarLock has claimed responsibility for a cyberattack against Colt Technology Services, leaking salary, contract, and infrastructure data, and offering one million internal documents for $200,000. The attack leveraged CVE-2025-53770, a Microsoft SharePoint zero-day vulnerability recently patched but still widely exposed. Colt reports that customer-facing systems remain unaffected, though recovery efforts continue.
Analyst Comments: Using a SharePoint zero-day highlights how attackers continue exploiting enterprise collaboration platforms as initial access vectors. WarLock’s focus on monetizing sensitive internal data rather than immediately deploying ransomware suggests a blended extortion and cybercrime model. While Colt states customer data is safe, the exposure of network architecture and development environment details could aid future intrusions. Telecom companies remain prime targets because of their critical infrastructure role and connectivity to multiple organizations, making this incident a warning for the sector to accelerate patch cycles and isolate collaboration tools.
FROM THE MEDIA: The attackers reportedly exploited CVE-2025-53770, a ToolShell remote code execution flaw in Microsoft SharePoint, which remains a risk for unpatched servers despite recent security updates. Colt confirmed the cyberattack to BleepingComputer and stated that only internal systems were affected, while its customer portal, Colt Online, and Voice API platform remain offline. Authorities have been notified, and Colt is working with external security experts on recovery. No ransom demand has been confirmed at this time.
READ THE STORY: TechZine
CISA Issues Critical OT Asset Inventory Guide to Strengthen Infrastructure Cybersecurity
Bottom Line Up Front (BLUF): CISA and international partners released the OT Cybersecurity Fundamentals: Asset Inventory Guide for Owners and Operators. The guidance provides a structured framework for cataloging and classifying operational technology (OT) assets in critical infrastructure sectors to improve defenses against rising cyberattacks on ICS, SCADA, and PLC environments.
Analyst Comments: By emphasizing taxonomies, asset criticality classification, and integration with MITRE ATT&CK for ICS, CISA is attempting to bridge the gap between IT and OT security. The focus on real-time monitoring and vulnerability management indicates regulators expect asset owners to adopt continuous rather than periodic security practices. Over time, widespread adoption could improve resilience across energy, water, and manufacturing sectors, but resource-constrained operators may face challenges implementing the whole framework.
FROM THE MEDIA: Developed with input from 14 organizations across energy and water sectors, the framework encourages asset classification into zones and conduits under ISA/IEC 62443. The guidance highlights 14 key asset attributes for collection, such as MAC/IP addresses, protocols, OS versions, and user accounts. It suggests aligning inventory management with CISA’s Known Exploited Vulnerabilities (KEV) catalog. Organizations are also advised to cross-reference inventories with the MITRE ATT&CK Matrix for ICS and deploy real-time monitoring of process variables like temperature and flow to detect abnormal activity.
READ THE STORY: Red Hot Cyber
Ukraine Sanctions Russian, Chinese, and Belarusian Firms Over AI-Driven Drone Tech Supply
Bottom Line Up Front (BLUF): President Zelensky signed a decree imposing sweeping sanctions on 55 companies and 39 individuals from Russia, China, and Belarus involved in supplying drone and AI technologies to Russia. The sanctions aim to disrupt critical components of Russia’s growing drone warfare industry, particularly those using dual-use and artificial intelligence capabilities.
Analyst Comments: Including Chinese and Belarusian firms signals Kyiv's growing frustration with tacit support from countries outside the immediate warzone. The sanctions also aim to message global suppliers that aiding Russia’s war tech will have long-term reputational and economic consequences. If Ukraine can coordinate similar restrictions with its Western partners, it could significantly slow Russia’s drone development momentum.
FROM THE MEDIA: Ukraine’s Presidential Office announced new sanctions on August 17 targeting 94 entities, including Russian drone developers like Zala Aero, Smart Birds, and Vostok Design Bureau, as well as research institutes Neurolab and the Center for Unmanned Systems and Technologies. The sanctions extend to Chinese and Belarusian companies supplying dual-use technologies such as electronics and AI systems. The measures include asset freezes, bans on trade and technology transfers, and long-term blacklisting from public procurement. According to The Kyiv Independent, these efforts are part of a broader push to align Ukrainian restrictions with those of international partners. Ukraine's concerns have grown over reports, such as one from Reuters, highlighting China's support in helping Russia produce its Garpiya-A1 combat drones.
READ THE STORY: The Kyiv Independent
China Revives Oblique Wing Design for Hypersonic Drone Mothership Concept
Bottom Line Up Front (BLUF): Chinese aerospace engineers are developing a new hypersonic drone platform based on the long-abandoned "oblique wing" or "scissor wing" design. Leveraging AI, innovative materials, and modern simulation tools, the system could act as a high-speed drone mothership capable of swarm deployment at near-space altitudes and speeds up to Mach 5.
Analyst Comments: If technical hurdles are overcome, such a platform could become a game-changing strategic asset, capable of penetrating contested airspace, delivering swarms, and returning autonomously. The platform's theoretical speed and altitude—reaching 30 km—could outpace many current air defense systems, placing critical infrastructure at greater risk. However, extreme mechanical and thermal stresses continue to pose a significant barrier to operational viability.
FROM THE MEDIA: Unlike traditional variable-geometry wings, the oblique wing pivots a single wing across the fuselage to optimize performance at different flight speeds. The Chinese design incorporates AI-driven aerodynamic simulations, smart materials, and real-time stress monitoring systems to counter historical design flaws. Engineers propose that the vehicle could act as a drone "mothership," releasing up to 18 autonomous drones while traveling at Mach 5 and flying at altitudes of 30 km. However, immense engineering challenges remain, particularly with pivot shaft integrity under extreme heat and vibration. Experts stress the need for redundancy and fail-safe systems to ensure operational reliability.
READ THE STORY: IE
Items of interest
China Unveils Fleet of New Combat Drones Ahead of September 3 Military Parade
Bottom Line Up Front (BLUF): China is set to showcase at least five new stealthy air combat drones—including designs resembling the U.S. XQ-58A Valkyrie and MQ-28 Ghost Bat—during its upcoming September 3 military parade. These drones, part of a broader push for Collaborative Combat Aircraft (CCA) and Uncrewed Combat Aerial Vehicles (UCAVs), reflect China's ongoing expansion and modernization of unmanned warfare capabilities.
Analyst Comments: The similarities to existing American drone designs raise questions about espionage or reverse-engineering. While some of these systems may be mockups or prototypes, China's demonstrated ability to field formerly speculative designs, such as the GJ-11, means that many platforms could see deployment within the next 5–10 years. These developments could shift the regional airpower balance, particularly concerning Taiwan and maritime control in the Indo-Pacific.
FROM THE MEDIA: Recent imagery confirms that China will unveil several advanced drones at the September 3 military parade marking the 80th anniversary of victory over Japan in World War II. Among them is a drone resembling the FH-97, which closely mirrors the U.S.-made XQ-58A Valkyrie and two larger tailless drones featuring delta-wing configurations. These airframes align with a broader Chinese strategy to develop Collaborative Combat Aircraft (CCA) similar to U.S. Air Force initiatives. Satellite imagery suggests additional drones, including potential naval variants, are also being prepared. China’s Aerospace Times Feihong Technology Corporation, the entity behind the FH-97, previously unveiled the FH-97A—visually similar to Boeing’s MQ-28 Ghost Bat. Beyond drones, the parade will feature new missile types, uncrewed ground vehicles, and unmanned underwater assets, further underscoring China’s rapid push into multi-domain autonomous warfare.
READ THE STORY: TWZ
Netanyahu Promises Iran Water Aid In Exchange For Regime Change (Video)
FROM THE MEDIA: Prime Minister Benjamin Netanyahu called on the Iranian people to oppose their regime in exchange for help with the country's water crisis. “The moment your country is free, Israel’s top water experts will flood into every Iranian city, bringing cutting-edge technology and know-how. We will help Iran recycle water, we’ll help Iran desalinate water,” Netanyahu said.
Iranian President Is In A Very Difficult Situation "We Have No Water Left" (Video)
FROM THE MEDIA: Iran's water crisis has reached critical levels as President Pezeshkian warned Tehran that it could run dry by October. With rainfall down 45% during the worst drought in sixty years, decades of mismanagement have transformed a natural disaster into a national catastrophe. Dam reserves are just 42% capacity nationwide, while the capital faces imminent shortages.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.